<CABirCh9rBjtHO74ogkNeRe6COTS-oe2Q8fYswjCG_quY2RMAGw@mail.gmail.com>
Current votes: None.
On Tue, Oct 25, 2011 at 11:46 PM, Adam Barth <w3c@adambarth.com> wrote: > On Tue, Oct 25, 2011 at 8:41 PM, Glenn Maynard <glenn@zewt.org> wrote: > > It would fully break the basic use cases of Referer--being able to tell > what > > server is inlining resources on your server and causing it to be > hammered, > > and being able to do something about it. "rel=originreferer" mode > doesn't > > have that problem, though. > > It's a matter of weighing the privacy and security benefits against > the costs to that use case. If you're interested in that use case, > you might be interested in Anne's From-Origin proposal, which > addresses it head-on. > From-Origin doesn't allow selectively revoking access to a resource, without revoking it from everyone. From-Origin also assumes a very small set of origins which can access a resource. If you have lots of domains (Google) or dynamically-generated domains (Blogspot), it falls apart quickly. I'd be concerned about losing this functionality of Referer before From-Origin is fully proven. I have doubts of From-Origin being a realistic replacement for it.